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THE DNA BOX 

Hacking Cellular Phones 

by 

The Outlaw Telecommandos 



PART 



FOUR 



Preliminary technical info about the AMPS (Advanced Mobile Phone System). 

MOBILE TELEPHONE SWITCHING OFFICE (MTSO) 

Cell Control Sites (Towers) are connected to the Mobile Telephone Switching 

Office (MTSO) by a pair of 9600 baud data lines, one of which is a backup. 

The MTSO routes calls, controls and coordinates the cell sites (especially 

during handoffs as a mobile phone moves from one cell to another while a 

call is in progress), and connects to a Central Office (CO) of the local 

telephone company via voice lines. 

There is some indication that an MTSO may be re-programmed and otherwise 

hacked via standard phone lines using a personal computer/modem. 

NUMERIC ASSIGNMENT MODULE (NAM) 
There is a PROM chip in every cellular phone that holds the phone number (MIN) 
assigned to it. This is the "Numerical Assignment Module" or NAM. Schematics 
and block diagrams occasionally call this the "ID PROM". The NAM also 
holds the serial number (ESN) of the cellular phone, and the system ID (SID) 
of the mobile phone's home system. 

By encoding new PROM chips (or re-programming EPROM chips) and swapping them 
with the originals, a cellular phone can be made to take on a new identity. 
It is possible to make a circuit board with a bank of PROMs that 
plugs into the NAM socket, and allows guick switching between several 
phone ID's. It's even feasible to emulate the behavior of a PROM with 
dual-port RAM chips, which can be instantly updated by a laptop computer. 

A photograph of a "BYTEK Sl-KX NAM Multiprogrammer" suggests that this 
"sophisticated piece of equipment" is merely a relabled generic PROM burner. 

MOBILE IDENTIFICATION NUMBER (MIN) 
The published explanations of how to compute this number all contain 
deliberate errors, probably for the purpose of thwarting phreaks and people 
attempting to change the serial numbers and ID codes of stolen phones. 
Even the arithmetic is wrong in some published examples! 
Until the FCC/IEEE spec is available (a trip is planned to a university 
engineering library) the following is almost certainly the way that MIN is 
computed, taking into consideration how such codings are done elsewhere, 
comparing notes and tables from a variety of sources, and using common sense. 

A BASIC program (MIN.BAS) that computes MINs from phone numbers is being 
distributed with this file. 

There are two parts to the 3 4 -bit MIN. 

They are derived from a cellular phone number as follows: 



Subscriptions to TAP Magazine. 

United States $10.00 / 10 Issues 
Canada $15.00 / 10 Issues 
Overseas $25.00 / 10 Issues 
Sample Issues $2.00 & SASE 
Donations Greatly Appreciated 
BBS Phone #502/499-8933 
New User Password Below. 
Columbian Coke 



MIN2 - a ten bit number representing the area code. 

Look up the three digits of area code in the following table: 



Phone Digit: 
Coded Digit: 



1234567890 
0123456789 



Continued next page 



A 15 bit binary number representing a mobile phone's home cellular system. 



(Or just add 9 to a digit and use the right digit of the result) 

Then convert that number to a 10-digit binary number: 

For example, for the (213) area code, MIN2 would be "j*. 

which expressed as a 10-digit binary number would be 0001100110. 

Area Code =213 (get Area Code) 

102 (add 9 to each digit modulo 10, or use table) 
MIN2 = 0001100110 (convert to binary) 

MINI - a 24 bit number representing the 7-digit phone number. 

The first ten bits of MINI are computed the same way as MIN2, only 

the next 3 dicrits of the phone number are used. 

Tne middle four bits of MINI are simply the fourth digit of the phone number 

expressed in binary (Remember; a "0" becomes a "10"). **„*+* of 

The last next ten bits of MINI are encoded using the final three digits of 

the phone number in the same way. 

So, MINI for 376-0111 would be: 

(get Phone Number) 376 111 

(modify digits where appropriate) 265 (10) 0°° ^^^n^n 

(convert each part to a binary number) 0100001001^1010^0000000000 

Thus the complete 34-bit Mobile Identification Number for (213)376-0111 is: 
376 111 213 



/ V \/ v \ 

MIN = 0100001001101000000000000001100110 

\ A / 



MINI 



MIN2 



5T23S SEfflFS/SJ. L encoded as a 32 bit binary number. 

Available evidence suggests that the ESN is an 8-digit hexadecimal 
number, which is encoded directly to binary: 

Serial Number * 821A056F 

Diqits «821A056F 

ESN « 0001 0001 0001 1010 0000 0101 0110 1111 

Here is a table for converting Hexadecimal to Binary: 

Hex Binary Hex Binary Hex Binary Hex Binary 



n 


0000 


4 


0100 


8 


1000 


c 


1100 


i 


0001 


5 


0101 


9 


1001 


D 


1101 


? 


0010 


6 


0110 


A 


1010 


E 


1110 


3 


0011 


7 


0111 


B 


1011 


F 


1111 



SYSTEM IDENTIFICATION (SID) 



CELLULAR PHONE FREQUENCIES 

Here, again, are the frequency range assignments for Cellular Telephones: 

Repeater Input (Phone transmissions) 825.030 - 844.980 Megahertz 
Repeater Output (Tower transmissions) 870.030 - 889.980 Megahertz 

There are 666 Channels. Phones transmit 45 MHz below the corresponding 
Tower channel. The channels are spaced every 30 KHz. 

These channels are divided into H Nonwireline H (A) and "Wireline" (B) services. 

Nonwireline (A) service uses the 825-835/870-880 frequencies (channels 1-333) 
Wireline (B) service uses the 835-845/880-890 frequencies (channels 334-666) 

A channel is either dedicated to control signals, or to voice signals. 
Digital message streams are sent on both types of channels, however. 

There are 21 control channels for each service. 

Non-Wireline (A) control channels are located in the frequency ranges 
834.39 - 834.99 and 879.39 - 879.99 (channels 312 - 333 ) 

Wireline (B) control channels are located in the frequency ranges 
835.02 - 835.62 and 880.02 - 880.62 (channels 334 - 355) 

The new 998 channel systems use 332 additional channels in the ranges 
821-825/866-870 and 845-851/890-896. 

Cell Control Sites (Towers) are connected to an MTSO (Mobile Telephone 
Switching Office) which connects the cellular system to a Central Office (CO) 
of a conventional telephone system. 

Each Cell Control Site uses a maximum of 16 channels, up to 4 of which 
may be control channels. There will always be at least 1 control channel 
available in each cell. Cellular Towers are easily identified by the 
flat triangular platforms at the top of the mast, with short vertical 
antennas at each corner of the platform. 

Most UHF Televisions and cable-ready VCR's are capable of monitoring 
Cellular Phone channels. Try tuning between UHF TV channels 72 - 76 for 
mobile phones, and between UHF TV channels 79 - 83 for towers. 

SUPERVISORY AUDIO TONE (SAT) 

A mobile phone must be able to recognize and retransmit any of the 

three audio frequencies used as SAT's. 

These tones (and their binary codes) are: 

(00) 5970 Hz 

(01) 6000 Hz 
(10)' 6030 HZ 

The SAT is used during signaling, but not during data transmission. 

The binary codes are sent during data transmission to control which of the 

SAT tones a mobile phone will be using. 

Each cell site (or tower) uses only one of the three SATs. The mobile 



Continued next page 



Continued next page 



transmitter returns that sane SAT to the tower. 

Tone recognition Bust take place within 250 milliseconds. 



SIGNALING TONE (ST) 

A 10 KHz tone is used for signaling by mobile phones during alert, handoff , 

certain service requests, and diconnect. 

DATA TRANSMISSION 

Cellular Phones use a data rate of 10 Kilobits per second, and must be 

accurate to within one bit per second. 

Frequency Modulation (FM) is used for both voice and data transmissions. 

Digital data is transmitted as an 8KHz frequency shift of the carrier. 

A binary one is transmited as a +8KHz shift and a binary zero as a -BKHz 

shift. NRZ (Non-Return to Zero) coding is used, which means that the carrier 

is not shifted back to it's center frequency between transmitted binary bits. 



SLJsing"VMSmailwiUi EDT 



Boulder Campus Mail Address Formats 
From VMS machines: 

Destination Address Format 



Example 



Your VMS host 
Another VMS host* 
UNIX host 
BITNEThost 
Internet host 
unknown UCB host 



user name 

VMS-host : :vsername 

in: : "username§host" 

in : : "usernameBhost " 

in: : "usernameBhost . domain " 



jdoe 

jila::jdoe 

in : : "doegboulder 

in : : - jdoe8oberlin M 

in : : "tomghao . ucar . edu" 



in : : "usernameBhost . Colorado . edu" in : : H f riendgmystery . Colo- 
rado, edu" 



* While most VMS usemames follow the lastnazne_f irst initial (and possibly middle initial) 
syntax, this convention isn't consistent across the campus. Please be aware of this inconsistency 
before you send electronic mail to users on other systems. Consult 41 1, the on-line electronic mail directory 
for assistance. 



'Desert Storm" Productions Presents: 
Baghdad's First Ever 

Air Show! 




Round'The'Ct&Qk Demonstrations By: 

Air Force* Marines* Army* Navy 

Free Admission - Free Parking (Bomb Shelters Available) 

Show Begins January 16, 1991 S!SJ?RS2" 

Bombing Demonstration* "Smart Bomb' ChimneyrDrop Contest 
Cruise Missile Fly-By's Invasion Tactics 

Runway Demolitions Wire-Guided And-Tank Ordinance 

Supersonic Overhead Passes 30MM Armor-Piercing Ammunition 
20MM Strafing Runs 7.62MM Mini-Gun Shoot*Off 

Ground 1>oop Maneuvers Artillery Duels 

Special Might Show (starts at sundown): Tracer dr Incendiary Ammunition Demo 

Cluster Bomb •House-Cleaning* 
Anti-Aircraft Gun exhibitions 





F-4 Wild Weasels 
A-6 Intruders 
F-1S Hornets 



B-52 Stratofortreeses 
F-1S Eagles 
A-10 Wart Hogs 



Added Attraction! Special Off-Site Missile Tournament; "Scud's. versus the Patriot 1 !". 

' 'teld nightly In nearby Tel Aviv (shuttle busses depart every 30 minutes). 

• Also includes admission to Israel's First Annual Nerve Gas Festival (gas masks Included). 



Free Gift! 



The first 500 people daily receive an official U.S. Government "Gun Camera - video. 
Tape also Includes recent satellite reconnaissance photos (specify VHS or Beta). 



Monthly charge eliminated for blocking 
"900" and "976" calls; installation charge warn 



A variety of entertainment and information is available via "900" 
and "976" services. These services allow vendors to offer recorded 
messages such as sports updates/ stock market reports, medical an 
legal advice, jokes and other information over telephone lines. 

"900" and "976" services are provided by "information service" ven- 
dors. These vendors are solely responsible for the quality and con- 
tent of their messages. Each call to a "900" or "976" telephone num- 
ber will result in an additional charge on your telephone bill. The 
amount of the charge is set by the vendor of the service, not by 
South Central BelL 



South Central Bell offers options for blocking calls to "900" and "976" 
numbers. There is only a small one-time fee for providing this blocking 
service. If you request "900/976" blocking between April 15, 1991 and 
June 15, 1991, South Central Bell will waive the installation fee associ- 
ated with blocking. Monthly M 900/976 M blocking fees have been elimi- 
nated. 

If you currently subscribe to "900/976" blocking, it is not necessary to 
contact South Central Bell. Your monthly fee will automatically be elimi- 
nated from your bill. 

For more information or to sign up for blocking options, please call your 
SCB service representative during regular business hours at 557-6500 
(residence customers) or 557-6000 (business customers). There's no charge 
for calling either number. 



© 



South Central Ball 



911 



Incident Initiation 
Telephone 



Officer 



Call-Taker 



__ ED 

information to System | 



I 



Incident Typ 



pej 



Address 



n 



Other 



I , 

| verify Address | 



Create 
Associated 
Incidents? 



Checfc 

for Duplicate 

Incidents 



Automatic System Functions 

•Creates Incident Record, Including: 
-Date and Time 
-Priority 
-Beat and Sector 
-Fire Response Zone 
-operator and Console IDs 
-Location Detail 

•inserts Premise Data Indicator 

•inserts Flags for: 

-Complainant Contact Request - COM 

-Fire Ambulance Request - tab 

-Non-Operating Hydrants - HYD 

-Previous Incidents - Am - 

•Routes incident to Dispatcher 

-With Dispatch Recommendation 



Pending incidents 
Ready for Dispatch 



Waging war against 



State 

Alabama 

Alaska 

Arizona 

Arkansas 

California 



Colorado 

Connecticut 

Delaware 

District of Columbia 

Florida 



Georgia 



Hawaii 

Idaho 

Illinois 



Indiana 

Iowa 

Kansas 

Kentucky 

Louisiana 

Maine 

Maryland 

Massachusetts 

Michigan 
Minnesota 



800 Prefix 

633 

544 

528 

643 

227 

421 

423 

854 

824 

538 

235 

344 

358 

525 

255 

243 

441 

424 

368 

327 

237 
*874* 

841 
*241 

554 

367 
*635 

621 

323 

637 

435 

447 

851 

428 

457 

348 

553 
♦247 

831 

835 

255 

626 

354 

535 

551 

341 

368 

343 

225 

628 

253 

521 

338 

517 

328 

533 
*346 



NPA served 



<205> 
<907> 
<602> 
<501> 
<415> 
<213> 
<213> 
<714> 
<916> 
<408> 
<805> 
<209> 
<707> 
<303> 
<303> 
<203> 
<302> 
<202> 
<202> 
<305> 
<813> 
<904> 
<912> 
<404> 
<404> 
<808> 
<208> 
<312> 
<312> 
<217> 
<815> 
<309> 
<618> 
<317> 
<812> 
<219> 
<319> 
<515> 
<712> 
<316> 
<913> 
<502> 
<606> 
<504> 
<318> 
<207> 
<301> 
<617> 
<617> 
<413> 
<616> 
<313> 
<906> 
<248> 
<612> 
<507> 
<218> 




For high volume traffic 



TAP Maqazin* 
P.O. Box 2026H 
Loui/vilI«, KV H0250-O164 




Mississippi 


647 


<601> 




Missouri 


821 


<816> 






325 


<314> 






641 


<417> 




Montana 


*548* 


<406> 




Nebraska 


228 


<402> 






445 


<308> 




Nevada 


*634 


<702> Las Vegas 






648 


<702> Reno 




New Hampshire 


258 


<603> 




New Jersey 


257 


<609> 




New Mexico 


545 


<505> 




New York 


223 


<212> 






847 


<607> 






221 


<212> 






431 


<914> 






828 


<716> 






645 


<516> 






448 


<315> 






833 


<518> 




North Carolina 


334 


<919> 






438 


<704> 




North Dakota 


*437 


<701> 




Ohio 


321 


<216> 






543 


<513> 






537 


<419> 






848 


<614> 




Oklahoma 


654 


<405> 






331 


<918> 




Oregon 


*547* 


<503> 




Pennsylvania 


523 


<215> 






345 


<215> 






*458* 


<814> 






245 


<412> 






233 


<717> 




Puerto Rico 


468 


<809> 




Rhode Island 


556 


<401> 




South Carolina 


*845* 


<803> 




South Dakota 


*843* 


<605> 




Tennessee 


251 


<615> 






238 


<901> 




Texas 


527 


<214> 






433 


<817> 






531 


<512> 






231 


<713> 






351 


<915> 






*858* 


<806> 




Utah 


453 


<801> 




Vermont 


*451 


<802> 




Virginia 


446 


<804> 






368 


Arlington - (for D.C. 


) 




336 


<703> 




Virgin Islands 


524 


<809> 




Washington 


426 


<206> 






541 


<509> 




West Virginia 


624 


<304> 




Wisconsin 


*356 


<608> 






558 


<414> 




Wyoming 


443 


<307> 
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We Build Our Pay Phones The Same Way. 




A public phone gets a lot of use. It can also get a lot of abuse. That's why I 
Southern Bell pay phones are designed to withstand the roughest conditions ; 
and the heaviest use. 

We back our equipment with scheduled inspection and maintenance. If > • 
there ever is a problem, a service technician will repair the phone on the spot 
or replace it. Best of all, maintenance and repairs won't cost you a penny. And 
installation is free, too. 

When your pay phone is from Southern Bell, we handle all refunds, 
user complaints, fraudulent calls and collections. All you have to handle are 
the commission checks we send to you. 

Don't wait any longer. Get rolling today. Call toll free 
1 800 451-5983 and find out just how much a Southern Bell pay 
phone can offer your business. 




Southern Bel!" 
South Central Bell* 



South Central Bell now offers TouchStar (tin) services. This 
includes call tracing, call blocking, call return, repeat dialing, 
call selector, and preferred call forwarding. The call tracing and 
call blocking features bother me. They are used to cut down on the 
prank/crank calls. I personally think the phone company should not 
charge for this type of service it should be provided FREE. Everyone 
has had a prank call of some type and they should be blocked as a 
customer service not as a paid option. If anyone would like to comment 
on these new services, or has them already installed on their phone 
and would like to do an article on them please feel free to send it to 
me for a future issue. These new services can easily put a stop to 
hackers and should be explored in more detail. 






WIRELESS MICROPHONES 

HI imp mic /r - ^N HE,> B02 




9 volu 



Wireleu mic for commerical FM band. Tuning U aceomnii.K.,4 k 

l^ih. 01 -., „.„ ,n, u ,. t0d „ if . |0fleth ^ ££S^*^ '* ""?'• "P- XI '« «- by twining 2 Inch 

f • f*—' "* «« b. ,ub„j,ut.d for ,h. dynami v.Z*J .imn^H T *** " 00d '"i""' '" "* ■*«« 
directions for the mic. thi> will «;„. , ,.^ -,_, Wl-,v ** ,,mp,y ,dd,n B • '•"• «o the power sourca « .hnwun ;„ .k. 



r the mic, this will B ive Increased pickup. 



» power source at shown in the 




I 



No 16 %" x H" 



Oltri > •ut MnM tr.r«m.t1.r um „,«„,.„, ejrcul , „, " ' 

to ,h. comm.r.c.l FM b.„d di,.c«ly Irom ttnk circuit 3' .„,.nn. c.„ h. .„h.h "" DOU ' * 

—II Power supply diusMmbl , . 9 vo| , ' m „„ u" o' cl '° '"* "" #nd '" ""'•' '"*»■ '- 




.ud.o w wl „ .„,„„, . nd th . _„ j; r) r,,r sz :z c ,t i: izr*""" • dio ^ -"> >*« 
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WIRELESS MICROPHONES 



25" 



4.5/25 pi 




Loimp mic 



Range about 1-2 blocks. Low power drain.. 



A unique circuit with . tunnel diode oscillating back to bwk with • trensistor. Thi. en be constructed in . very small 
W by using . 1.3 volt mercury cell for power. LI is 6 turn, No. 16 close-wound. Tap et I turn. L2 » 2 turns No. 16 
wound 1/8". Use ceremic trimmer for L2 tenk and electrolytic for CI. 




2N708 



D.ode modulates tuned circuit in commehcal FM band. Coil is 4 turn, No. IB. V wide. I" long, tap 2 
from ground. 
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APPLIED BLUE BOXING I 

by 

OLORIN THE WHITE 



••a************************************************************************** 

* This tutorial is for informational purposes. It is NOT to be used to * 

* commit phraud, theft, or any other immoral activity. * 
••a************************************************************************** 

In this tutorial I am going to explain how a phone phreak uses an 
electronic device, known as a blue box, to control and manipulate the 
telephone network. A phone phreak is a person who practices 
phreaking, which is the art of hands-on experience learning of 
telephone network operations. A blue box is a portable, hand held 
device that resembles a small box with a touch tone keypad on it. 
This is the main tool of the phone phreak (Bell, 1971). 

Before the invention of the blue box, Ma Bell had a monopoly on 
communications. This forced the public to pay the outrageous rates 
demanded by Ma Bell. Things such as this, and the war tax added on to 
one's bill each month, produced a hatred for Ma Bell that was in the 
extreme. The blue box allowed not only the escape from the outrageous 
rates demanded by Ma Bell, which is theft of services under Federal 
law, but it also opened up the entire telephone network to whoever 
utilized a blue box (Hoffman, 1971). 

The average blue box has 12 keys, a button, and a speaker. The 
12 keys are used in routing calls. Keys 1-0 serve the same purpose as 
those on a touch tone phone. The other two keys are Key Pulse (KP), 
and STart(ST). The Multi -Frequency (MF) tones emitted for each key are 
according to a standard used for routing calls. When a person dials a 
long distance number directly, the number that person dials is 
converted to these frequencies since that is what the interoffice 
trunks respond to. Each Local Area Network (LAN) is controlled by its 
own Central Office. Interoffice trunks are network connections 
between COs (Johannessen, 1970). 

The button is pressed to emit a pure 2600 Hz tone. When trunks 
are idle, they have a 2600 Hz coming from both ends of the trunk. If 
one end stops sending 2600 Hz, then the central office at the other 
end detects the lack of- that tone and prepares that trunk for use. 
When one makes a long distance call, the central office seizes a trunk 
by ceasing the 2600 Hz tone being sent on its end of the trunk and 
then sends the appropriate number combination according to what one 
dials. When one hangs up, the 2600 Hz is put back on the line, 
letting the other end know that the trunk is now idle (Battista & 
Roscoe & Giguere, 1970). 

A phone phreak uses his blue box by calling a long distance 
number, such as 1-800-555-1212 or 1-818-407-1000, in order to be 
routed over a trunk. Local calls are not routed through trunks. When 
the other end connects, the phone phreak emits the 2600 Hz torte into 
his line. This disconnects the called party by making the central 
office at the other end think that the caller has hung up. The phreak 
then stops sending the 2600 Hz and a trunk is seized due to the lack 
of the tone from his end (Prophet, 1987). 

After seizing a trunk, the blue boxer can then enter the routing 



Continued next page 
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information using the 12 keys on his blue box. The KP key always 
precedes all numbers entered. This prepares the trunk to receive 
routing codes. After all routing information is entered, the ST key 
must be pressed to alert the equipment to start routing the 
information that has been entered (Marauder, 1986). With certain 
switching systems, the keyed routing information must be timed 
correctly rather than keyed manually. This can easily be produced by 
having a programable blue box that one can input the routing 
information into and then press a button to output the routing 
information at the proper timed intervals between MF tones. 

A blue box can be used to call numbers that one can call normally 
from any subscriber loop (home telephone), such as KP+NPA+NNX+DDDD+ST. 
NPA would be the area code, NNX the exchange, and DDDD is the last 
four digits. But, in using a blue box, a phone phreak can also access 
many other things not accessible using a touch tone phone, the scope 
of which is almost unimaginable. But, since a full discussion of the 
network is beyond the scope of this tutorial, I will only discuss a 
very small amount of these routings and their purposes (John, 1978). 

The most informative person a phone phreak can call, using his 
blue box, is the universal rate and route operator. This operator is 
reached by keying KP+800+141+1212+ST. This operator assists other 
operators with rates and routings. Since only authorized people are 
supposed to be able to call things like this, the phone phreak will 
always be assumed to be another operator. There are three routing 
types that can be requested (Tabas, 1985). 

Operator's route is used when asking for routes that are not over 
seas. Number's route is used when requesting over seas routes, and 
directories route is used for requesting operator directory assistance 
routes. The route type must be stated before requests to let the rate 
and route operator know which type a person is requesting (Tabas, 
1985). 

The inward operator is a very helpful person when it comes to 
things that someone can't do remotely or doesn't know how to do yet. 
These are just normal Traffic Services Position System(TSPS) operators 
who are assisting other TSPS operators. The TSPS operator is the 
operator one gets when one enters a from his or her own touch tone 
phone. The only difference is that when another TSPS operator calls a 
TSPS operator, it is an inward call. A light on the TSPS operator's 
console notifies that operator that the call is an inward call 
(Marauder, 1986). The format for an inward is KP+NPA+TTC+1X1+ST. NPA 
is required when calling out of your HNPA, and the Terminating Toll 
Center (TTC) code is sometimes also required along with the NPA. TTC 
codes are in the format OXX. 1X1 is the actual inward operator route. 
X represents any number from to 9. One thing that an inward 
operator can do for someone is an emergency interrupt. To request an 
emergency interrupt on a certain line, one must call an inward 
operator in the same NPA as the line to be interrupted (Agent003, 1985). 
Busy Line Verification (BLV) trunks can only be used within the NPA it is 
located. If one wished to access the BLV trunk without the help of an 
inward operator, that person would have to know the screening code for 
that trunk. Screening code formats are OXX. One would enter 
KP+OXX+NNX+DDDD+ST and he or she would be added into a 3-way port on 
the busy line (Phreaker, 1987). 

In over seas calling, one roust first dial the appropriate over 
seas gateway that handles the country one is dialing. This is done by 
entering KP+011+CC+ST. CC is the country code. When calling the over 
seas gateway, the country code should be padded to the left with zeros 
in order to make the CC 3 digits long. Once a person receives the 
international dial tone, he or she can enter KP+O+country code+city 
code+ phone number+ST. When keying in the country code to the over 
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seas gateway, the country code is not padded with zeros. One can also 
call inwards in other countries by getting the number's route from the 
universal rate and route operator (Tabas, 1985). 

Some countries do not have international direct-dial service. The 
best way around this is to connect with an inward operator in the 
closest country with international direct-dial service. Closest in 
this case meaning closest to the country that one wishes to dial into. 
He or she would then request that the inward deal with his or her call 
(Tabas, 1985). 

Recently the telephone network has been implementing Common 
Channel Interoffice Signalling(CCIS) . This method of trunk signalling 
is the same as the type we have discussed except that the 2600 Hz is 
replaced by 3700 Hz. Since nothing above 3000 Hz can be sent from a 
normal subscriber loop, this eliminates the possibility of blue boxina 
(Agent003, 1985). * 

Research is being conducted to locate test numbers that dial 
directly into trunks, therefore eliminating the need for sending a 
3700 Hz (Agent003, 1985). Also, wire taps and satellite uplinks are 
being researched, but these are currently going very slow. It is not 
very desirable to get into a Ma Bell man hole and search for the right 
wire, nor is it inexpensive to own a satellite dish. Never the less, 
it can be said that as Ma Bell comes up with new security measures to 
prevent the phone phreak from blue boxing, the phone phreak will 
discover new ways around that security. 

! This article was written for TAP ! 

Any corrections, updates, 
questions, or comments should be 
directed to the following 
address : 

Olorin the White 

C/0 TAP 

P.O. Box 20264 

Louisville, KY 40250-0264 
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Making Thermite 

By The Pyromaniac 

Thermite is a powerful substance which can burn through practically anything. 
It is especially of use in breaking into payfone cash boxes. Now, here's 
how you make it. It is very simple. The first step in making thermite is 
to make Hematite. Hematite is IRON OXIDE (Rust). Here is a good method of 
making large quantities of rust. You will electrolyze a metal rod, such as 
a IRON nail. You will need a source of DC power. A good source is a Train 
Transformer. Attach the nail to the POSITIVE wire. Now place the rod and 
the negative wire in opposite sides of a glass jar full of water. Add a 
little salt to the water (about a teaspoon) and leave it overnight. In the 
morning, there will be dark red crud in the jar. Filter all the crud from 
the water and heat in an iron pot until it turns a nice light red. The 
other ingredients you will need is aluminum filings. I suggest you buy them 
at a hardware shop. Make sure it is no less than 94% pure (Duralumin). Now 
mix it with the iron oxide. The ratio should be 8 grams of Iron Oxide per 
three grams of Aluminum filings. Thats Thermite! Now to light it. Stick 
a length of Magnesium Ribbon in a pile of the thermite (steal it from a 
chem-lab or buy it from the hardware store. If not order it from a chem 
supply house. Its pretty cheap.) The ribbon should stick into the thermite 
like a fuse. Now you light he magnesium with a blowtorch. Dont worry, the 
torch isnt hot enough to ignite the thermite. When the ribbon reaches the 
thermite, it will light. Get back from it, it can melt carbon steel so you 
can guess what it can do to human flesh. 
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